The two security issues are XSS vulnerabilities. XSS (Cross Site Scripting) issues allow scripts and malicious HTML to be injected into the page, potentially allowing data theft or unauthenticated access.
- In the notices system, the name token was not escaped as expected. This could allow specially crafted requests to trigger an XSS for guests (or for a registered user to trigger an XSS on themselves).
- In the filter list system in the admin control panel, dynamic highlighting when filtering did not escape output properly, potentially triggering an XSS against the user viewing the page.
In addition, some of the bugs fixed in 1.4.8 include:
- Improved performance in the rich text editor.
- Fixed trophies not being awarded at session creation as expected.
- Fix certain cases where the image proxy would unexpectedly fail to detect a valid image.
- Support downloading attachments with UTF-8 file names in IE.
- Ensure a more correct following count is shown when viewing a member's profile in some cases.
- Throw an error when sending a warning and only one of the conversation title or message box has been completed.
- Fix an incorrect permission check over viewing the moderator actions taken against a thread.
- Fix incorrect logic relating to the DNSBL cache used at registration.
- Prune drafts hourly rather than daily.
- Fix a situation where the spam cleaner would not remove replies by a spammer to their own thread.
- Ensure that there is no default text decoration on <abbr> tags in Firefox.
- Use a new "simple" BB code formatter when creating snippets for RSS feeds to prevent unexpected code from running.
- Update the bundled version of jQuery Migrate to 1.2.1.
- Copying from the template preview in template modifications did not maintain line breaks in Firefox.
- Fix an issue importing older attachments from SMF.
- Fix an issue where the vBulletin importer could infinitely loop.
The following template has had changes: